
[Jailkit-users] jailkit config on solaris 9/10


From: Lea Andersen
Subject: [Jailkit-users] jailkit config on solaris 9/10
Date: Mon, 23 May 2011 17:54:41 -0700

Hi Olivier,

I have successfully set up Jailkit 2.14 on RH5, 64-bit Linux, but the
Solaris sparc configuration has been very difficult to debug.  I'm
getting the same errors on both Solaris 9 and Solaris 10.  There is a
core dump which lands in the user's upload directory when I sftp or
scp into the jailed user account.  The connection is closed right
away.

Here I have attempted to sftp as jailed user "qclick2" (output:
Connection closed), and ran "strings" on the core dump: "strings core
> core.out":

vi core.out:
-snip-
jk_lsh version 2.14, started
USER
cannot find group name for gid %d: %s
/etc/jailkit/jk_lsh.ini
WARNING: user %s (%d) tried to get an interactive shell session (%s), which is never allowed by jk_lsh
configfile /etc/jailkit/jk_lsh.ini is not available
umask
environment
allow_word_expansion
paths
the requested executable %s is not found
executables
section %s does not have a key executables
WARNING: user %s (%d) tried to run '%s', which is not allowed according to /etc/jailkit/jk_lsh.ini
cannot find user info for USER %s: %s
abort, running as UID %d, but environment variable USER %s has UID %d
DEFAULT
did neither find a section '%s', nor 'group %s' nor 'DEFAULT' in configfile /etc/jailkit/jk_lsh.ini
cannot find user info for uid %d: %s
executing command '%s' for user %s (%d)
WARNING: running %s failed for user %s (%d): %s
WARNING: check the permissions and libraries for %s
path %s is a symlink
path %s is setuid
path %s is setgid
path %s is group writable
path %s is writable for others
path %s is not owned by user %d
path %s is not owned by group %d
         (((((                  H
 !"#$%&'()*+,-./0123456789:;<=>address@hidden
PQRSTUVWXYZ{|}~
GMT0
qclick2
-snip-
3062:
ick2:x:3062:3062::/home/qclick2:/usr/sbin/jk_lsh
[DEFAULT]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/ssh/sftp-server
allow_word_expansion = 1
umask = 111
xdr_array: out of memory
xdr_reference: out of memory
oY7uVV0
6$w C
!nY)
-snip-

I have noticed "out of memory" throughout the core dump, but the
memory on the system looks fine.

I have also run truss on the PID, similar to your FAQ example using strace:

(sftp from window 1)

(window 2: the chroot jail server)
truss -p 22813
poll(0xFFBFD6C0, 1, -1)         (sleeping...)

(type in the passwd in window 1)

(output from window 2)
poll(0xFFBFD6C0, 1, -1)                         = 1
read(3, "9794 N 6C1 9 :B2 fCF92 )".., 8192)     = 144
write(7, "\0\0\0\f\n", 5)                       = 5
write(7, "\0\0\007 q c l i c k 2", 11)          = 11
read(7, "\0\0\005", 4)                          = 4
read(7, "\v\0\0\001", 5)                        = 5
fstat(-1, 0xFFBFECA0)                           Err#9 EBADF
fstat(-1, 0xFFBFE070)                           Err#9 EBADF
open("/dev/conslog", O_WRONLY)                  Err#2 ENOENT
fcntl(-1, F_SETFD, 0x00000001)                  Err#9 EBADF
fstat(-1, 0xFFBFE070)                           Err#9 EBADF
fstat(-1, 0xFFBFEAD0)                           Err#9 EBADF
write(4, "C1FED1E4C4 $ E82E398C3C8".., 32)      = 32
write(7, "\0\004 j18", 5)                       = 5
write(7, "\0\0\014 ~99 /85CEBF\n W".., 1129)    = 1129
_exit(0)

I was hoping this truss-type output may indicate the error, but so far
it's been difficult for me to decode.

I have run ldd on both scp and sftp-server to confirm the needed
libraries are in the jail.  I've looked in both /var/log/authlog and
/var/adm/messages for clues.  (Everything that was reported there as
an error, I've fixed.  I had to remove several symbolic links re:
complaints about permissions and ownership.)

I configured my /etc/jailkit/jk_init.ini with all the default Solaris
settings before initializing.

What is the next thing you recommend trying?  I'm at a loss; I've been
working on this for 1-2 weeks now.

Thanks,
Lea


